The Evasive Panda Advanced Persistent Threat (APT) group, also known as BRONZE HIGHLAND and Daggerfly, has been active since at least 2012. This Chinese-speaking APT group has been conducting cyberespionage targeting individuals, government institutions, and organisations. Recently, ESET researchers have discovered a new campaign by this group, which involves the use of a custom backdoor known as MgBot.

The MgBot Backdoor

MgBot is a well-designed modular framework that is actively maintained. The components of the framework include the MgBot EXE dropper, the MgBot DLL Loader, and the MgBot Plugins. The plugins deployed in recent activities have numerous capabilities that can provide the attackers with a significant amount of information about compromised machines.

The list of modules (DLL files) includes the Kstrcs keylogger, the sebasek file stealer, the Cbmrpa clipboard logger, the pRsm audio stream capturer, the mailLFPassword and agentpwd credential stealers, the qmsdp Tencent QQ database stealer, the wcdbcrk Tencent WeChat information stealer, and the Gmck cookies stealer.

These plugins are designed to steal information from highly popular Chinese applications such as QQ, WeChat, QQBrowser, and Foxmail – all of them applications developed by Tencent.

The Evasive Panda’s Tactics

The Evasive Panda APT group has been observed to deliver malware via updates for popular Chinese software. During the investigation, the ESET team discovered that a genuine application software component secretly downloaded MgBot backdoor installers from URLs and IP addresses while updating automatically.

The researchers were left with two scenarios that could explain how the attackers managed to deliver malware through legitimate updates: supply-chain compromise and adversary-in-the-middle attacks.

Other Targets

In addition to targeting Chinese users, the Evasive Panda APT group has also been observed targeting an African telecoms firm. The group’s development of previously unseen plugins demonstrates that it is continuing to actively develop its malware and the tools it can use to target victim networks.

Mitigation and Protection

Telecoms companies will always be a key target in intelligence gathering campaigns due to the access they can potentially provide to the communications of end-users. Therefore, it is crucial for these companies to stay updated with the latest protection measures and to regularly monitor their networks for any signs of compromise.

Indicators of Compromise (IOCs)

The following IOCs have been associated with the Evasive Panda APT group:

  • MgBot Dropper: c89316e87c5761e0fc50db1214beb32a08c73d2cad9df8c678c8e44ed66c1dab, 90e15eaf6385b41fcbf021ecbd8d86b8c31ba48c2c5c3d1edb8851896f4f72fe
  • MgBot DLL Loader: 706c9030c2fa5eb758fa2113df3a7e79257808b3e79e46869d1bf279ed488c36, 017187a1b6d58c69d90d81055db031f1a7569a3b95743679b21e44ea82cfb6c7
  • MgBot Plugins: cb8aede4ad660adc1c78a513e7d5724cac8073bea9d6a77cf3b04b019395979a, 2dcf9e556332da2a17a44dfceda5e2421c88168aafea73e2811d65e9521c715c, a6ed16244a5b965f0e0b84b21dcc6f51ad1e413dc2ad243a6f5853cd9ac8da0b, ee6a3331c6b8f3f955def71a6c7c97bf86ddf4ce3e75a63ea4e9cd6e20701024, 585db6ab2f7b452091ddb29de519485027665335afcdb34957ff1425ecc3ec4b, 29df6c3f7d13b259b3bc5d56f2cdd14782021fc5f9597a3ccece51ffac2010a0 ea2be3d0217a2efeb06c93e32f489a457bdea154fb4a900f26bef83e2053f4fd, 54198678b98c2094e74159d7456dd74d12ab4244e1d9376d8f4d864f6237cd79, d9eec27bf827669cf13bfdb7be3fdb0fdf05a26d5b74adecaf2f0a48105ae934, cb7d9feda7d8ebfba93ec428d5a8a4382bf58e5a70e4b51eb1938d2691d5d4a5, 2c0cfe2f4f1e7539b4700e1205411ec084cbc574f9e4710ecd4733fbf0f8a7dc, a16a70b0a1ac0718149a31c780edb126379a0d375d9f6007a6def3141bec6810, 0bcdcc0515d30c28017fd7931b8a787feebe9ee3819aa2b758ce915b8ba40f99

Further Reading

  1. ESET Research Article
  2. Malpedia Entry on Evasive Panda
  3. Infosecurity Magazine Article
  4. Symantec Enterprise Blogs Article